Password salting: make your passwords smarter, stronger and simpler

Password “salting” can make your logins easier and more secure

Your average computer scientist isn’t a fan of passwords. They’re easy to hack, and easy to guess. Compared to more modern security techniques, they have more cons than pros. But there’s a simple trick anyone can use to make passwords more secure, and easier to remember at the same time. It borrows its name from an encryption technique called “password salting”.

What is password salting?

Password salting is combining your old password with something unique to make a new password. In the same way cooks add salt to food to improve flavor, you can “salt” your passwords to improve security. The basic idea is very simple:

1) start with a basic password,

2) add something extra (i.e. the salt),

3) combine your basic password with your salt to make an improved password.

For example, say you get a message from Microsoft that it’s time to change your password. You go to the Microsoft website and when you get to the new password prompt…

[ screenshot ]

…you type in a normal password:

Strawb3rry

This is a pretty basic password, using a common English word found in any dictionary, with an expected capital letter, and a typical number substitution. If you’re like most people, you probably reuse this same basic password for dozens of logins throughout your digital life. So let’s invent an easy way to turn this mediocre password into a stronger one.

Now you’re cooking with salt

The best salt is unique each time it’s used. So make your salting rule based on something about the site or app you are trying to access. That way, your rule will give you a unique salt each time. For example, if your rule is “the first and last letters of the Web address”, you would look in your browser’s address bar and see:

[ screenshot ]

Here, the first and last letters of the Web address are “a” and “m”. So you add “am” to your basic password “Strawb3rry”, and your new Microsoft password would become:

Strawb3rryam

…and that’s password salting.

A host of benefits

There are some great benefits to this technique:

  1. Password length: In general, longer passwords are more secure than shorter ones.
  2. Unique passwords: If someone tries to use your Microsoft password to log into your Google account, they’ll fail, because your salted Google password is “Strawb3rrygm”.
  3. No memorizing: Because the Web address is right there on the screen, you don’t have to remember which password goes with which site. Just remember your rule and you’ll know the salt.

Try not to choose a salt that someone else could easily figure out (such as salting your Microsoft password with the word “microsoft”). Here’s an example of a rule that seems random, but isn’t:

Strawb3rry5f

That rule is “the number of syllables of the site, plus the letter located at that same number counted backwards from the end of the Web address.”

  • mic-ro-soft-dot-com is “5”
  • the 5th letter from the end of microsoft.com is “f”

Your salting rule doesn’t have to be that tortured, but it is effective:

  • google.com becomes Strawb3rry4. (or Strawb3rry4e if you don’t count the dot (“.”) as a real character)
  • amazon.com becomes Strawb3rry5n
  • dmv.ca.gov becomes Strawb3rry8v

…and so on. You can invent any rule you want to make your salt.
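The two rules above, written out as code so you can see exactly which character each one picks. This is an added example, not code from the article or from Quandary Peak: the URLs are constructed for illustration, the syllable count is passed in by hand (the rule is meant to be done in your head, and nothing here tries to count syllables), and the `count_dots` switch covers both conventions the article uses, since “f” for microsoft.com only comes out when the dot is skipped, while “n” for amazon.com and “v” for dmv.ca.gov only come out when the dot is counted.

```python
from urllib.parse import urlsplit


def hostname(url: str) -> str:
    """Return the host part of a URL or a bare domain, as the address bar shows it."""
    # urlsplit only recognises the host when a scheme or "//" is present,
    # so a bare "google.com" gets "//" prepended before parsing.
    if "://" not in url:
        url = "//" + url
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host found in {url!r}")
    return host


def salt_first_last(url: str) -> str:
    """Rule 1 from the article: the first and last letters of the Web address."""
    h = hostname(url)
    return h[0] + h[-1]


def salt_nth_from_end(url: str, syllables: int, count_dots: bool) -> str:
    """Rule 2 from the article: the syllable count of the address (supplied by the
    caller), followed by the character that many positions from the end.
    count_dots decides whether "." counts as a character when counting back."""
    h = hostname(url)
    if not count_dots:
        h = h.replace(".", "")
    if syllables < 1 or syllables > len(h):
        raise ValueError("syllable count is outside the length of the address")
    return f"{syllables}{h[-syllables]}"


def salted_password(base: str, salt: str) -> str:
    """Combine the basic password with the salt (step 3 of the article)."""
    return base + salt


if __name__ == "__main__":
    base = "Strawb3rry"  # the article's example basic password
    # Constructed sample addresses paired with hand-counted syllables.
    sites = [
        ("https://account.microsoft.com/security", 5, False),
        ("google.com", 4, True),
        ("amazon.com", 5, True),
        ("dmv.ca.gov", 8, True),
    ]
    for url, syl, dots in sites:
        print(hostname(url),
              salted_password(base, salt_first_last(url)),
              salted_password(base, salt_nth_from_end(url, syl, dots)))
```

Whichever rule you pick, decide once whether the dot counts and stick to it; otherwise you will type the wrong salt for some sites. And since every derived password shares the same base, the rule deserves the same secrecy as the base password itself, which is the point of the article’s advice against an obvious salt like “microsoft”.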

Using a password salt can make it much easier to manage a large number of different passwords in your head. Here at Quandary Peak, we often work on cases with lax security, unfortunately. If your case needs testimony or expert opinion about common password practices, just contact us.


Jason Frankovitz - Software Engineering Expert

As a developer and CTO, Jason Frankovitz has been in the trenches of technology for more than 25 years. He has worked as a programmer, software development manager, technical analyst, CTO, and mentor in a wide variety of industries including enterprise software, digital entertainment, and Web-enabled government.